talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

services/journald: introduce audit option

Browse Source 
We default this option to null ; which is different
from upstream which defaults this to true.

Defaulting this to true leads to log-spam in /dev/kmesg
and thus in our opinion is a bad default https://github.com/systemd/systemd/issues/15324
This commit is contained in:
Arian van Putten 2025-02-05 15:19:25 +01:00
parent 13b1062730
commit ff78e34e0b
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
nixos/modules/system/boot/systemd/journald.nix
View File

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
utils,
... ...
}: }:
let let
@ -78,6 +79,23 @@ in
''; '';
}; };
services.journald.audit = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.bool;
description = ''
If enabled systemd-journald will turn on auditing on start-up.
If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged.
NixOS defaults to leaving this unset as enabling audit without auditd running leads to spamming /dev/kmesg with random messages
and if you enable auditd then auditd is responsible for turning auditing on.
If you want to have audit logs in journald and do not mind audit logs also ending up in /dev/kmesg you can set this option to true.
If you want to for some ununderstandable reason disable auditing if auditd enabled it then you can set this option to false.
It is of NixOS' opinion that setting this to false is definitely the wrong thing to do - but it's an option.
'';
};
services.journald.extraConfig = lib.mkOption { services.journald.extraConfig = lib.mkOption {
default = ""; default = "";
type = lib.types.lines; type = lib.types.lines;
@ -116,7 +134,10 @@ in
"syslog.socket" "syslog.socket"
]; ];
systemd.sockets.systemd-journald-audit.wantedBy = [ "systemd-journald.service" "sockets.target" ]; systemd.sockets.systemd-journald-audit.wantedBy = [
"systemd-journald.service"
"sockets.target"
];
environment.etc = { environment.etc = {
"systemd/journald.conf".text = '' "systemd/journald.conf".text = ''
@ -131,6 +152,7 @@ in
${lib.optionalString (cfg.forwardToSyslog) '' ${lib.optionalString (cfg.forwardToSyslog) ''
ForwardToSyslog=yes ForwardToSyslog=yes
''} ''}
Audit=${utils.systemdUtils.lib.toOption cfg.audit}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
}; };